Solved

Active Directory Lightweight Directory Services (AD-LDS) - What are you using it for, and how?

Posted on 2015-02-24
5
299 Views
Last Modified: 2015-02-26
Hello,

I am working with AD-LDS and am trying to create a single sign-on solution that can be used for web servers / applications / etc. Can anyone describe what they are using AD-LDS for and how they're syncing from Active Directory?
0
Question by:jkeegan123
5 Comments
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40629445
AD-LDS is not the right tool for that job. If you are looking for single sign-on, you want ADFS.
0
 
LVL 5

Author Comment

by:jkeegan123
ID: 40629679
Perhaps I was not being clear; I thought that AD-LDS was the right tool here. What I want to do is combine multiple directories using AD-LDS so that (5) or so Windows domains in different sites that are connected via VPN without trusts can make use of the single AD-LDS directory that we pull / sync accounts to from each of the 5 domains.

Am I getting warmer?  :)
0
 
LVL 58

Accepted Solution

by: Cliff Galiher earned 500 total points
ID: 40629716
*IF* you want single sign-on, no. Windows specifically hardens credential storage on DCs so there is no legitimate way to sync credentials to AD-LDS. Also AD-LDS doesn't have Kerberos support built in like AD-DS. You could create a custom property in AD-LDS (after all, that's why it is there) to store passwords (hashed or otherwise) but you'd be writing your own authentication mechanism to write that property and it would *not* be an SSO experience at all. Because it'd be a custom property and a custom authentication method, there is no way to even enforce that the passwords are the same.

AD-LDS *does* support proxying authentication back into AD-DS, but it only does so if AD-LDS is a member server, and it only does so to a domain controller in the domain of which the AD-LDS server is a member. That would not work with your 5-domain scenario with no trusts, as it would not be able to proxy requests to four of the domains, and the DCs, not having trusts, would not be able to handle the proxied request.

In short, if you have permissions to sync AD objects, I'm not sure why you wouldn't implement trusts. That'd be a far more efficient process. And for most SSO web scenarios, you'll need ADFS any which way. So I still don't see AD-LDS being the right tool here.
0
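An added example, not from the thread or from Microsoft: a PowerShell check, run on the AD-LDS host itself, that lists the userProxy objects in an AD-LDS application partition and flags those whose objectSid belongs to a domain other than the host's own, since those are exactly the proxies that bind redirection cannot serve in the multi-domain, no-trust layout described above. The instance port and partition DN are placeholders.

```powershell
# Added example, not from the thread. Run on the AD-LDS host, which must be a
# member server of the one domain its bind redirection can reach.
# Placeholders: the AD-LDS instance address/port and the application partition DN.
Import-Module ActiveDirectory

$LdsServer    = "localhost:50000"                     # hypothetical AD-LDS instance
$LdsPartition = "CN=AppPartition,DC=example,DC=local" # hypothetical partition DN

# The only domain AD-LDS can proxy a simple bind to: the host's own domain.
$memberDomain    = Get-ADDomain -Current LocalComputer
$memberDomainSid = $memberDomain.DomainSID.Value

# userProxy objects carry only the AD user's objectSid; the password itself
# never leaves the domain controller, which is why credentials cannot be synced.
$proxies = Get-ADObject -Server $LdsServer -SearchBase $LdsPartition `
    -LDAPFilter "(objectClass=userProxy)" -Properties objectSid

foreach ($proxy in $proxies) {
    $sid = $proxy.objectSid
    if ($sid -is [byte[]]) {
        $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)
    }
    $sidDomain = if ($sid.AccountDomainSid) { $sid.AccountDomainSid.Value } else { "" }

    if ($sidDomain -ne $memberDomainSid) {
        # SID from one of the other (untrusted) domains: no DC there is reachable
        # through redirection, so every bind via this proxy will fail.
        Write-Warning "$($proxy.DistinguishedName): SID is from a foreign domain, redirection cannot work"
        continue
    }

    # Same domain: confirm the account still exists (stale proxies fail binds too).
    $user = Get-ADUser -Filter "objectSid -eq '$($sid.Value)'"
    if (-not $user) {
        Write-Warning "$($proxy.DistinguishedName): no matching account in $($memberDomain.DNSRoot)"
    } else {
        Write-Output "$($proxy.DistinguishedName) -> $($user.SamAccountName) (redirection possible)"
    }
}
```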
 
LVL 5

Author Closing Comment

by:jkeegan123
ID: 40634107
Thank you, that was a very succinct explanation for why this will not work.

I REALLY think that the tech community at large SEVERELY misunderstands what AD-LDS can and cannot do...What I learned through this long journey is:  

- Exactly how to work and setup AD-LDS --> It's very useful and cool
- Exactly the nuances to setup Schema differences between domains / partitions.  This was useful in and of itself.
- The tech community enjoys very much posting 75% of their experience and missing the last 25%.  This is probably because most people have no idea exactly what this is capable of.

Thank you VERY much for your help.

I still need to sync passwords between domains; this is more of a service-provider relationship than a true multi-domain scenario where domains can be trusted. Do you have any tips on using another tool to do this, perhaps Forefront Identity Management (FIM)? I see that RACKSPACE, Intermedia, etc. do syncs similar to what I'm talking about, where we have to target a specific OU for source accounts (can't take the entire directory, bad idea...) and PCNS (Password Change Notification Service) runs on every DC to notify the provider of the password change.

Do you know of any way to implement something like this?  I'm willing to go down the FIM road, but I need to know if this is the right tool before going on this journey.

Thanks!
0
 
LVL 58

Expert Comment

by:Cliff Galiher
ID: 40634128
FIM can do this and is actually what Microsoft's own implementation of dirsync was built on.
0
